Logging In

At this point I also have a choice: I can either use the calculator
from a separate terminal every time I login, or I can print myself a list
of responses and regenerate a new list whenever I run out of
responses. Let's try both methods, starting with the first:

login: dlavigne6
otp-md5 498 dh0391 ext
Password:

Notice that when I log in, I receive an OTP challenge.
opie is waiting for the response, or one-time password,
associated with counter 498. By default, users can decide whether or not
to use OTP when they log in. If I decide instead to type in my reusable
password, it will be accepted and I'll log in as usual.

If I decide to log in using OTP, I'll first need to calculate the
correct response. It doesn't matter where I use the calculator, as
long as I don't use it over a non-encrypted network connection. I
could use the calculator from another virtual terminal; for example, I
could press Alt-F3, log in locally and run the calculator. Alternately, if
I have access to another computer in the room, or even a Palm Pilot
running the calculator software, I could calculate the response there.

In order to use the calculator I need to know three things:

the current counter

my seed

my secret pass phrase

The current counter and seed are displayed in the challenge. However,
it is important that only I know my secret pass phrase; otherwise, anyone
could calculate the response and login as if they were me.

When I use the calculator, I include the count I need the response for
as well as my seed:

This time, instead of typing my reusable password, I pressed Enter,
which turned on echo. This allowed me to see the response as I typed
it. Echo is a bad thing with reusable passwords, which is why it is always
off. However, with a one-time password, it doesn't matter if anyone sees
me typing it, as it can't be reused. Also, unlike a reusable password, the
response is not case sensitive, so it doesn't matter if I type it in upper
or lower case.

Now if I do an opieinfo, I'll see that the next expected
response will be for counter 497. That is, every time I use a one-time
password, the counter is decreased by one. I can merrily continue to
calculate and use up my responses; I need only be careful that I never let
my counter decrease to 0.

Generating Multiple Keys

It may not always be convenient to use the calculator every time you
want to log in. Let's demonstrate the second method, where a list of
responses is generated.

This time, I'll use the number or n switch with the
calculator, to indicate how many responses I'd like to calculate. Here,
I'll generate a list of 10 responses, starting at the next expected count
of 497:

I now know what my next ten passwords will be. At this point, I could
copy them to a piece of paper and store them in a safe place such as my
wallet. Alternately, when you generate your own list, you could send the
output to a file like so:

$ opiekey -n 10 497 dh0391 > secretlist

and print the list. Be careful to remove that file from your hard drive once
you've printed it as you don't want to keep a copy of your next ten passwords
on your hard drive.
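To make the calculator's arithmetic concrete (both the single response for a challenge and the opiekey -n list above), here is an added example, not part of this article or of opie, that implements the otp-md5 computation from RFC 2289 in Python: hash the lowercased seed plus pass phrase, fold the 128-bit MD5 output to 64 bits, and apply that one-way step count times. It outputs the response in hex rather than opie's six-word form, and the pass phrase, seed and server class are constructed for illustration.

```python
import hashlib

def _fold(digest: bytes) -> bytes:
    """RFC 2289 folds the 128-bit MD5 output to 64 bits by XORing its halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))

def otp_md5(count: int, seed: str, passphrase: str) -> str:
    """Response for (count, seed, passphrase), as 16 hex digits."""
    if count < 0:
        raise ValueError("counter must never go below 0")
    # Initial step: seed (case-insensitive, so lowercased) followed by the pass phrase.
    value = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    # Then apply the one-way function `count` times; count 498 needs 498 rounds.
    for _ in range(count):
        value = _fold(hashlib.md5(value).digest())
    return value.hex()

def next_hash(response_hex: str) -> str:
    """One more round of the one-way function, which is all the server ever applies."""
    return _fold(hashlib.md5(bytes.fromhex(response_hex)).digest()).hex()

def opiekey_list(n: int, count: int, seed: str, passphrase: str) -> list:
    """Like `opiekey -n 10 497 dh0391`: responses for count, count-1, ..., count-n+1."""
    return [(c, otp_md5(c, seed, passphrase)) for c in range(count, count - n, -1)]

class OtpServer:
    """Hypothetical login side: stores only the last accepted response, never the pass phrase."""
    def __init__(self, count: int, seed: str, passphrase: str):
        # As after opiepasswd: the pass phrase is used once to compute f^count and discarded.
        self.seed, self.count = seed, count
        self.stored = otp_md5(count, seed, passphrase)

    def challenge(self) -> str:
        if self.count == 0:
            raise RuntimeError("counter exhausted; reset it with opiepasswd")
        return f"otp-md5 {self.count - 1} {self.seed} ext"

    def login(self, response_hex: str) -> bool:
        # Hashing the submitted response once must reproduce the stored value;
        # a replayed or out-of-sequence response fails this check.
        response_hex = response_hex.lower()  # responses are not case sensitive
        if next_hash(response_hex) != self.stored:
            return False
        self.stored, self.count = response_hex, self.count - 1
        return True
```

Because the server only ever moves down the chain, an observed response cannot be reused and does not reveal the lower-count responses still to come.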

If my counter gets dangerously low, say around 10, I should reset it using
the opiepasswd command. Once you're in the password database, use
the n or number switch in combination with the s or
seed switch instead of the c switch. In the next example, I'll
reset the counter back to 499 and change my seed to dh1357. When I do so, I'll
be prompted for the response associated with my current counter, which happens
to be 8:

Finishing Up

At this point, you may be wondering when would be the best time to
actually use OTP, since you have a choice of using either OTP or a
reusable password whenever you receive a login prompt. You probably won't
use OTP when you log in to a remote computer, as you should use SSH for that
purpose. Since SSH ensures that all of your information is encrypted, it
has no need for OTP and hence does not support OTP. However, OTP can be
appropriate when you need to log in to your computer and you are concerned
about "shoulder surfing", or someone else noticing your password as you
type it in. For example, you may be in a crowded area with your
laptop. Your computer may happen to be located in a high traffic area,
which increases the possibility of someone noticing what password you use
to log in.

It is convenient to leave users with the choice of using or not using
OTP depending upon the likelihood of someone else noticing their password
when they need to log in. It is also possible to change this default and
configure your FreeBSD system to force users to always use OTP. The
original way to do this was to create a file called
/etc/opieaccess. However, this method is considered to be a
security hole and is even cautioned against in man
opieaccess.

The preferred method is to use Pluggable Authentication Modules
(PAM). Since I want to spend a fair bit of time on PAM, I will end this
week's article here. In the next article, I'll introduce PAM, then carry
on by configuring OTP as an example.

Dru Lavigne
is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.